REMARKS IN SUPPORT OF THE PRE-APPEAL BRIEF

REQUEST FOR REVIEW



Dear Sir: 



In response to the Final Office Action mailed My 23, 2007 (hereinafter, "Final Office Action"),
and further pursuant to the Notice of Appeal and Pre-Appeal Brief Request for Review submitted
herewith, Applicants respectfully request review and reconsideration of the Final Office Action in view of
the following issues.

1. The Asserted Reference of Moran is Missing an Element of Each of the Claims

Applicants traverse the rejection of claims 1, 10, and 15 under 35 U.S.C. §102(e) as anticipated
by U.S. Patent No. 6,647,400 ("Moran"), at page 4 of the Final Office Action. Moran does not disclose
upon identifying a mismatch in compared digital signatures, issuing an instruction to record an entry in a
log file located in a second remote database, said entry identifying a possible intrusion in a host, as recited
in claim 1. Rather, Moran discloses that if there is a mismatch of signatures, and if the mismatch is not
expected, the file associated with the signature is flagged as suspicious. See Moran, col. 32, lines 56-58.
Moran also discloses a sensor controller 310 that may pass information to an event database and a system
that collects data related to logins with multiple sensors. See Moran, col. 8, lines 13-16 and col. 23, lines
35-46. Moran does not explicitly disclose issuing an instruction to record an entry in a remote database
when a signature mismatch is discovered. Therefore, Moran does not disclose each and every element of
claim 1. Hence, claim 1 is allowable.

Moran does not disclose or suggest a log database that is remote from the host and recording
entries corresponding to mismatches between a digital signature stored in the host and a corresponding
digital signature in the digital signature database, as recited in claim 10. Instead, Moran discloses that if a
mismatch of signatures is discovered and if the mismatch is not expected, the file is flagged as suspicious.
See Moran, col. 32, lines 56-58. Moran also discloses a sensor controller 310 that may pass information
to an event database and a system that collects data related to logins with multiple sensors. See Moran,
col. 8, lines 13-16 and col. 23, lines 35-46. However, Moran does not explicitly disclose a log database
that is remote from the host and recording entries corresponding to digital signature mismatches.
Therefore, Moran does not disclose each and every element of claim 10. Hence, claim 10 is allowable.

Moran does not disclose computer readable program code including executable instructions to
issue an instruction to record an entry in a log file located in a second remote database upon identifying a
mismatch in compared digital signatures, said entry identifying a possible intrusion in a host, as recited in
claim 15. Instead, Moran discloses that if a mismatch of signatures is discovered and if the mismatch is
not expected, the file is flagged as suspicious. Moran, col. 32, lines 56-58. Moran does not explicitly
disclose issuing an instruction to record an entry in a log file located in a remote database upon
identifying a digital signature mismatch. Therefore, Moran does not disclose or suggest each and every
element of claim 15. Hence, claim 15 is allowable.

2. The Asserted Combination of Moran and Trostle is Missing an Element of Each of the Claims

Applicants traverse the rejection of claims 2-9, 11-14, and 16-24, at paragraphs 6 and 7 of the
Office Action, under 35 U.S.C. § 103(a), as being unpatentable over Moran in view of U.S. Patent No.
5,919,257 ("Trostle").

As explained previously, Moran does not disclose all elements of claim 1, from which claims 2-9
depend. Trostle does not disclose or suggest the elements of claim 1 not disclosed by Moran. For
example, Trostle does not disclose upon identifying a mismatch in compared digital signatures, issuing an
instruction to record an entry in a log file located in a second remote database, said entry identifying a
possible intrusion in a host, as recited in claim 1. In contrast, Trostle discloses a login process in which if
an invalid password has been entered, a server increments an intruder detection counter, and if a
maximum number of unsuccessful attempts to enter a correct password has been exceeded, a Network
Interface Card (NIC) may be disabled to prevent subsequent workstation/server communication, or the
workstation may be completely disabled. See Trostle, Fig. 5, col. 5, lines 49-65, and col. 6, lines 29-30,
col. 6, lines 30-40. Trostle also discloses that during pre-boot, the networked workstation performs an
intrusion detection hashing function on selected executable programs in order to detect unauthorized
changes to the selected workstation executable programs and if illicit changes are detected, the user or
network system administrator is notified in order to take corrective action. See Trostle, Abstract and col.
2, line 61 - col. 3, line 2. Trostle does not disclose issuing an instruction to record an entry in a log file
located in a remote database, the entry identifying a possible intrusion in a host. Therefore, Moran and
Trostle, separately or in combination, fail to disclose each and every element of claim 1, or of claims 2-9,
which depend from claim 1. Therefore, claims 2-9 are allowable, at least by virtue of their dependence
from claim 1.

Further, the dependent claims recite additional features that are not disclosed by the cited
references. For example, Moran does not disclose issuing a command to an operating system of the host
to bring the host to a single user state upon identifying a mismatch in compared digital signatures, as
recited in claim 3. Further, Trostle does not disclose this element. Instead, Trostle discloses that if a
maximum number of unsuccessful attempts to enter a correct password has been exceeded, a Network
Interface Card (NIC) may be disabled to prevent subsequent workstation/server communication, or the
workstation may be completely disabled. See Trostle, col. 6, lines 30-40, and Fig. 5. Thus, in contrast to
claim 3, Trostle disables the NIC, shutting down a connection to the network server, or disables the
workstation. For this additional reason, claim 3 is allowable.

As explained above, Moran does not disclose or suggest each and every element of claim 10,
from which claims 11-14 depend. Trostle does not disclose or suggest the elements of claim 10 that are
not disclosed by Moran. For example, Trostle does not disclose a log database remote from the host
recording entries corresponding to mismatches between a digital signature stored in the host and a
corresponding digital signature in the digital signature database, as recited in claim 10. In contrast to
claim 10, Trostle discloses a login process in which a user enters a user name and a password for
validation, and if an invalid password has been entered, a server increments an intruder detection counter.
See Trostle, col. 5, lines 49-65, col. 6, lines 29-30, and Fig. 5. Applicants submit that a password is not
equivalent to a digital signature. In further contrast to claim 10, Trostle discloses that if illicit changes in
selected workstation executable programs are detected through comparison of computed hash values of
executable programs with trusted hash values downloaded from a server, a user or network system
administrator is notified to take corrective action. See Trostle, Abstract, and col. 2, line 61 - col. 3, line 2.
Trostle does not disclose a log database remote from the host, the log database to record entries
corresponding to digital signature mismatches. Therefore, Moran and Trostle, separately or in
combination, fail to disclose each and every element of claim 10, or of claims 11-14, which depend from
claim 10. Hence claims 11-14 are allowable over the asserted combination.

As explained above, Moran does not disclose each and every element of claim 15, from which
claims 16 and 17 depend. Trostle does not disclose or suggest the elements of claim 15 that are not
disclosed by Moran. For example, Trostle does not disclose computer readable program code including
executable instructions to issue an instruction to record an entry in a log file located in a second remote
database upon identifying a mismatch in compared digital signatures, said entry identifying a possible
intrusion in a host, as recited in claim 15. Instead, Trostle discloses that if an invalid password has been
entered, a server increments an intruder detection counter. See Trostle, Fig. 5, and col. 6, lines 29-30. In
further contrast to claim 15, Trostle discloses that the networked workstation performs an intrusion
detection hashing function on selected executable programs, and if illicit changes are detected, the user or
network system administrator is notified in order to take corrective action. See Trostle, Abstract, and col.
2, line 61 - col. 3, line 2. Trostle does not disclose issuing an instruction to record an entry in a log file
located in a remote database, the entry identifying a possible intrusion in a host. Thus Moran and Trostle,
separately or in combination, fail to disclose or suggest each and every element of claim 15, or of claims
16 and 17, at least by virtue of their dependence from allowable claim 15. Hence, claims 16 and 17 are
allowable.

Further, the Office admits that Moran does not disclose computer readable program code
comprising executable instructions to issue a command to an operating system of said host to bring said
host to a single user state upon identifying the mismatch in compared digital signatures, as recited in
claim 17. See Office Action dated Feb. 22, 2007, page 10. In contrast to claim 17, Trostle discloses
locking a user out when a maximum number of allowable unsuccessful logins has been exceeded by
disabling the NIC. See Trostle, Fig. 5, step 100, and col. 6, lines 30-42. Thus, in contrast to claim 17,
Trostle disables the NIC, shutting down a connection to the network server. For this additional reason,
claim 17 is allowable.

None of the cited references, including Moran and Trostle, separately or in combination, discloses
each and every element of claim 18. For example, Moran does not disclose upon identifying a mismatch
of digital signatures, transmitting an instruction to a remote log database via said one or more network
interfaces, said instruction executed in said remote log database to record an entry in a log file indicating
a possible intrusion in said host, as recited in claim 18. In contrast to claim 18, Moran discloses that if
there is a mismatch of signatures, an analysis engine checks if the mismatch is expected and if not, the file
is flagged as suspicious. See Moran, col. 32, lines 56-58. Moran also discloses a sensor controller 310
that may pass information to an event database and a system that collects data related to logins with
multiple sensors. See Moran, col. 8, lines 13-16 and col. 23, lines 35-46. However, Moran does not
explicitly disclose upon identifying a mismatch of digital signatures, transmitting an instruction to a
remote log database via one or more network interfaces, the instruction executed in the remote log
database to record an entry in a log file. Further, Trostle does not disclose this element of claim 18.
Instead, Trostle discloses that if an invalid password has been entered, a server increments an intruder
detection counter. See Trostle, Fig. 5, and col. 6, lines 29-30. In further contrast to claim 15, Trostle
discloses comparing a computed hash value of an executable program to a trusted hash value to detect
illicit changes in the executable program, and notifying the user or system administrator if changes are
detected. See Trostle, col. 2, line 45 - col. 3, line 2. Trostle does not disclose issuing an instruction to
record an entry in a log file located in a remote database, the entry identifying a possible intrusion in a
host. Hence, claim 18 is allowable over Moran and Trostle, and claims 19-24, which depend from claim
18, are also allowable.

Attorney Docket No.: 1033-T00534C

CONCLUSION 

Applicants have pointed out specific features of the claims not disclosed, suggested, or rendered 
obvious by the references applied in the Office Action. Accordingly, Applicants respectfully request 
reconsideration and withdrawal of each of the rejections, as well as an indication of the allowability of 
each of the pending claims.

The Commissioner is hereby authorized to charge any fees, which may be required, or credit any 
overpayment, to Deposit Account Number 50-2469. 



Respectfully submitted,

Date        Jeffrey G. Toler, Reg. No. 38,342

Attorney for Applicants
TOLER SCHAFFER LLP
8500 Bluffstone Cove, Suite A201
Austin, Texas 78759
(512) 327-5515 (phone)
(512) 327-5575 (fax)